Fix OpenSSL 3 support

As of OpenSSL 3.0.0, EVP_PKEY_get0() returns NULL unless the key is a legacy key. This crashes normal use of libtls. Instead, use the newer EVP_PKEY_get0_*() functions. These require OpenSSL 1.1.0, but we provide a workaround for older versions.
toofishes · Feb 19, 2022 · bfc4a94 · bfc4a94
1 parent e051e24
commit bfc4a94
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/usual/tls/tls_compat.h b/usual/tls/tls_compat.h
@@ -79,8 +79,15 @@ static inline X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *ctx
 	return NULL;
 }
 
+/*
+ * We need these specific functions for OpenSSL 3.0.0 because the
+ * generic function no longer works.  But the new ones only exist in
+ * 1.1.0, so in older versions we still use the older one.
+ */
+#define EVP_PKEY_get0_DH(pkey) EVP_PKEY_get0(pkey)
+#define EVP_PKEY_get0_EC_KEY(pkey) EVP_PKEY_get0(pkey)
 
-#endif
+#endif /* OpenSSL <1.1 */
 
 /* ecdh_auto is broken - ignores main EC key */
 #undef SSL_CTX_set_ecdh_auto

diff --git a/usual/tls/tls_util.c b/usual/tls/tls_util.c
@@ -201,10 +201,10 @@ tls_get_connection_info(struct tls *ctx, char *buf, size_t buflen)
 			if (ok) {
 				int pk_type = EVP_PKEY_id(pk);
 				if (pk_type == EVP_PKEY_DH) {
-					DH *dh = EVP_PKEY_get0(pk);
+					const DH *dh = EVP_PKEY_get0_DH(pk);
 					used_dh_bits = DH_size(dh) * 8;
 				} else if (pk_type == EVP_PKEY_EC) {
-					EC_KEY *ecdh = EVP_PKEY_get0(pk);
+					const EC_KEY *ecdh = EVP_PKEY_get0_EC_KEY(pk);
 					const EC_GROUP *eg = EC_KEY_get0_group(ecdh);
 					used_ecdh_nid = EC_GROUP_get_curve_name(eg);
 				}